presseportale/tests/Feature/PressReleaseHtmlSanitizerTest.php

<?php

use App\Models\PressRelease;
use App\Services\PressRelease\PressReleaseHtmlSanitizer;

function sanitizer(): PressReleaseHtmlSanitizer
{
    return app(PressReleaseHtmlSanitizer::class);
}

test('clean strips script and style tags', function () {
    $dirty = '<p>Hallo</p><script>alert("xss")</script><style>body{}</style>';

    $clean = sanitizer()->clean($dirty);

    expect($clean)->toContain('<p>Hallo</p>');
    expect($clean)->not->toContain('<script');
    expect($clean)->not->toContain('alert');
    expect($clean)->not->toContain('<style');
});

test('clean strips iframes and event handlers', function () {
    $dirty = '<p onclick="bad()">Hallo</p><iframe src="https://evil.test"></iframe>';

    $clean = sanitizer()->clean($dirty);

    expect($clean)->not->toContain('onclick');
    expect($clean)->not->toContain('<iframe');
});

test('clean keeps allowed tags in press release allowlist', function () {
    $dirty = '<h2>Headline</h2><p>Absatz mit <strong>fett</strong> und <em>kursiv</em>.</p>'
        .'<ul><li>Punkt A</li><li>Punkt B</li></ul>'
        .'<blockquote>Zitat</blockquote>'
        .'<a href="https://example.test">Link</a>';

    $clean = sanitizer()->clean($dirty);

    expect($clean)->toContain('<h2>Headline</h2>');
    expect($clean)->toContain('<strong>fett</strong>');
    expect($clean)->toContain('<em>kursiv</em>');
    expect($clean)->toContain('<ul>');
    expect($clean)->toContain('<li>Punkt A</li>');
    expect($clean)->toContain('<blockquote>');
    expect($clean)->toContain('href="https://example.test"');
});

test('clean removes disallowed tags like h1 table img', function () {
    $dirty = '<h1>Big</h1><table><tr><td>x</td></tr></table><img src="x.jpg">';

    $clean = sanitizer()->clean($dirty);

    expect($clean)->not->toContain('<h1');
    expect($clean)->not->toContain('<table');
    expect($clean)->not->toContain('<img');
});

test('external links get rel nofollow and target blank', function () {
    $dirty = '<p><a href="https://example.test">Link</a></p>';

    $clean = sanitizer()->clean($dirty);

    expect($clean)->toContain('rel=');
    expect($clean)->toContain('nofollow');
    expect($clean)->toContain('target="_blank"');
});

test('clean returns empty string for null and whitespace input', function () {
    expect(sanitizer()->clean(null))->toBe('');
    expect(sanitizer()->clean('   '))->toBe('');
});

test('isHtml detects html content', function () {
    expect(sanitizer()->isHtml('<p>Hi</p>'))->toBeTrue();
    expect(sanitizer()->isHtml('<strong>foo</strong>'))->toBeTrue();
    expect(sanitizer()->isHtml('Plain text only'))->toBeFalse();
    expect(sanitizer()->isHtml(''))->toBeFalse();
    expect(sanitizer()->isHtml(null))->toBeFalse();
});

test('render wraps legacy plain text into paragraphs and br tags', function () {
    $plain = "Zeile eins\nZeile zwei\n\nNeuer Absatz";

    $html = (string) sanitizer()->render($plain);

    expect($html)->toContain('<p>');
    expect($html)->toContain('Zeile eins<br');
    expect($html)->toContain('Zeile zwei');
    expect($html)->toContain('Neuer Absatz');
});

test('render escapes html-special chars in legacy plain text', function () {
    $plain = 'Skript: <script>alert(1)</script>';

    $html = (string) sanitizer()->render($plain);

    expect($html)->not->toContain('<script');
    expect($html)->toContain('&lt;script');
});

test('render returns sanitized html for stored html content', function () {
    $stored = '<p>Hallo</p><script>bad()</script>';

    $html = (string) sanitizer()->render($stored);

    expect($html)->toContain('<p>Hallo</p>');
    expect($html)->not->toContain('<script');
});

test('plainTextLength counts chars without html noise', function () {
    expect(sanitizer()->plainTextLength('<p>Hallo Welt</p>'))->toBe(10);
    expect(sanitizer()->plainTextLength('<p>Eins</p> <p>Zwei</p>'))->toBe(9);
    expect(sanitizer()->plainTextLength(null))->toBe(0);
});

test('PressRelease::renderedText uses the sanitizer', function () {
    $pr = PressRelease::factory()->create([
        'text' => '<p>Hallo</p><script>bad()</script>',
    ]);

    $rendered = (string) $pr->renderedText();

    expect($rendered)->toContain('<p>Hallo</p>');
    expect($rendered)->not->toContain('<script');
});

// ============================================================
// Link-Policy (Decision-Update „Verlinkung & Backlinks", 11.06.2026)
// ============================================================

test('rendered external links carry sponsored nofollow noopener', function () {
    $html = (string) sanitizer()->render('<p><a href="https://kundenseite.example/produkt">Produkt</a></p>');

    expect($html)->toContain('rel="sponsored nofollow noopener"')
        ->and($html)->toContain('target="_blank"');
});

test('rendered internal portal links stay follow', function () {
    $html = (string) sanitizer()->render('<p><a href="https://presseecho.test/firma/alpha-gmbh">Unternehmensprofil</a></p>');

    expect($html)->not->toContain('nofollow')
        ->and($html)->not->toContain('sponsored')
        ->and($html)->toContain('href="https://presseecho.test/firma/alpha-gmbh"');
});

test('relative links are treated as internal and stay follow', function () {
    $html = (string) sanitizer()->render('<p><a href="/firma/alpha-gmbh">Profil</a></p>');

    expect($html)->not->toContain('nofollow')
        ->and($html)->not->toContain('target=');
});

test('author-supplied rel attributes are always overridden', function () {
    $html = (string) sanitizer()->render('<p><a href="https://kundenseite.example" rel="dofollow">Link</a></p>');

    expect($html)->not->toContain('dofollow')
        ->and($html)->toContain('rel="sponsored nofollow noopener"');
});

test('mailto and tel links get no rel and no target', function () {
    $html = (string) sanitizer()->render('<p><a href="mailto:presse@example.test">Mail</a></p>');

    expect($html)->not->toContain('rel=')
        ->and($html)->not->toContain('target=');
});

test('www variants of portal domains count as internal', function () {
    $html = (string) sanitizer()->render('<p><a href="https://www.presseecho.test/firma/alpha">Profil</a></p>');

    expect($html)->not->toContain('nofollow');
});